[wp-trac] [WordPress Trac] #34575: shortcode not working in html comments
WordPress Trac
noreply at wordpress.org
Thu Nov 5 15:49:00 UTC 2015
#34575: shortcode not working in html comments
-----------------------------+----------------------
 Reporter:  distinct         |       Owner:
     Type:  feature request  |      Status:  closed
 Priority:  normal           |   Milestone:
Component:  Shortcodes       |     Version:  4.3.1
 Severity:  normal           |  Resolution:  invalid
 Keywords:                   |     Focuses:
-----------------------------+----------------------
Comment (by aaroncampbell):
Hey @distinct, I just wanted to weigh in here and help explain why this
isn't something that we're going to change. The full explanation is long
and involved, having to do with the history of shortcodes, the mistakes
that were made there, as well as all the various potential attack vectors
they present and which ones are more or less in our control to fix. I'm
going to try to keep this simple and short here though, because there has
already been much discussion around it that you can find and read.
The problem comes into view when a user that should not be able to use
certain HTML (such as a contributor) uses a shortcode that generates
certain HTML. This is because the checks that limit that user's content
happen on save and shortcodes aren't replaced with content at that point.
The content of the shortcode is only handled on DISPLAY, so we have to
deal with the content at that point. The most dangerous possible vectors
there come from inserting code that is INSIDE HTML tags (including HTML
comments). This is why we can't change to parse shortcodes inside HTML
comments or tags.
I understand that you have a use case where it would be nice to use a
shortcode as a solution, but we can't safely have shortcodes do that so
you'll need to find another way to do what you want.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/34575#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
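To illustrate the save-time versus display-time gap described in the comment, here is an added example in Python (not WordPress code and not part of aaroncampbell's comment). A toy tag allowlist stands in for the contributor-level content filter that runs on save; one expander replaces shortcodes everywhere, the other skips anything inside HTML tags and comments. The [year] and [button] shortcodes, their handlers and the sample post are constructed for this example.

```python
import re

# Constructed shortcode handlers: [year] returns plain text, [button] returns
# HTML that a trusted plugin author might legitimately emit.
HANDLERS = {
    "year": lambda: "2015",
    "button": lambda: '<a class="btn" href="/buy">Buy</a>',
}

# Constructed sample post as a contributor could store it: only <p> markup,
# with shortcodes placed in an attribute, in text, and in an HTML comment.
SAMPLE = '<p title="[button]">Copyright [year]</p><!-- [year] -->'

SHORTCODE_RE = re.compile(r"\[(\w+)\]")
# An HTML comment, or any single tag (opening or closing). Comments are tried
# first so that '>' characters inside a comment do not end the match early.
TAG_OR_COMMENT_RE = re.compile(r"<!--.*?-->|<[^>]*>", re.S)
TAG_NAME_RE = re.compile(r"<\s*/?\s*([A-Za-z][\w-]*)")


def markup_allowed(html, allowed_tags):
    """Toy stand-in for the save-time filter: every tag name must be on the allowlist.

    Comments ("<!--") do not start with a letter and so are not counted as tags.
    """
    return all(name.lower() in allowed_tags for name in TAG_NAME_RE.findall(html))


def expand_text(text, handlers):
    """Replace [name] with the handler's output; unknown shortcodes are left alone."""
    return SHORTCODE_RE.sub(
        lambda m: handlers.get(m.group(1), lambda: m.group(0))(), text
    )


def render_naive(html, handlers=HANDLERS):
    """Expand shortcodes everywhere, including inside tags and comments."""
    return expand_text(html, handlers)


def render_safe(html, handlers=HANDLERS):
    """Expand shortcodes only in text nodes; tags and comments pass through verbatim."""
    out, pos = [], 0
    for m in TAG_OR_COMMENT_RE.finditer(html):
        out.append(expand_text(html[pos:m.start()], handlers))
        out.append(m.group(0))
        pos = m.end()
    out.append(expand_text(html[pos:], handlers))
    return "".join(out)


if __name__ == "__main__":
    allowed = {"p"}
    print("stored post passes allowlist:", markup_allowed(SAMPLE, allowed))
    naive = render_naive(SAMPLE)
    print("naive render:", naive)
    print("naive render passes allowlist:", markup_allowed(naive, allowed))
    safe = render_safe(SAMPLE)
    print("safe render:", safe)
    print("safe render passes allowlist:", markup_allowed(safe, allowed))
```

The stored post contains only a <p> tag and passes the save-time check, but expanding [button] inside the title attribute terminates that attribute early and produces markup the filter never saw. Leaving shortcodes inside tags and comments unexpanded keeps the displayed output within what was checked on save, which is the behaviour the comment above is defending.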